Bool search must_not is not useful

shockerY · March 15, 2018, 7:54am

I use bool to search,it like this:

{
    "query": {
        "bool": {
            "must": {
                "match": {
                    "message": {
                        "query": "disconnect"
                    }
                }
            },
            "must": {
                "match": {
                    "message": {
                        "query": "server"
                    }
                }
            },
            "must_not": {
                "match": {
                    "message": {
                        "query": "pomelo_list"
                    }
                }
            },
            "must_not": {
                "match": {
                    "message": {
                        "query": "socket"
                    }
                }
            },
            "filter": {
                "range": {
                    "@timestamp": {
                        "gte": "2018-03-15T07:21:56.950Z"
                    }
                }
            }
        }
    }
}

the search result like this:

{
  "took": 49,
  "timed_out": false,
  "_shards": {
    "total": 109,
    "successful": 109,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 2,
    "max_score": 8.321762,
    "hits": [
      {
        "_index": "vrmmo_index_031203",
        "_type": "logs",
        "_id": "AWIoiWnwz80RW__iJ7Gr",
        "_score": 8.321762,
        "_source": {
          "@version": "1",
          "host": "Dell7020-5147",
          "@timestamp": "2018-03-15T07:21:56.950Z",
          "message": "server disconnect\r"
        }
      },
      {
        "_index": "vrmmo_index_031203",
        "_type": "logs",
        "_id": "AWIoix8_z80RW__iJ7WF",
        "_score": 7.960806,
        "_source": {
          "@version": "1",
          "host": "Dell7020-5147",
          "@timestamp": "2018-03-15T07:23:48.907Z",
          "message": "server [pomelo_list_1521095356265] disconnect\r"
        }
      }
    ]
  }
}

We can see the second doc contain "pomelo_list" is in the result, why 'must_not: pomelo_list' is not useful?

I have a test, if "pomelo_list" in mesaage without "[ ]", must_not is worked.

How can i do to make the search result right?

dadoonet · March 15, 2018, 9:33am

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

There's a live preview panel for exactly this reasons.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.

Please don't post images of text as they are hardly readable and not searchable.

Please update your post.

shockerY · March 16, 2018, 3:44am

I'm grateful for your guidance.Thank you, I fell sorry about that,I updated it.

shockerY · March 16, 2018, 3:44am

Thanks again, I should respect people who read more.

system · April 13, 2018, 3:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.